JoongAng Daily

‘Server attack purely destructive’: Nonghyup

34 minutes of card transactions lost from both server and backup

Nonghyup: “Sophisticated cyber terror beyond hacking ... 420 million data items being restored” Apr 19, 2011

Financial Supervisory Service (FSS) officials enter the IT department at the headquarters of the National Agricultural Cooperative Federation, or Nonghyup, in Yangjae, Seocho District, southern Seoul, yesterday. The FSS and the Bank of Korea are conducting a joint investigation into its network failure. [YONHAP]

Nonghyup yesterday tentatively concluded that its recent server crash, the worst in the history of Korea’s financial industry, was a purely destructive cyberattack that required advanced techniques beyond amateur hacking.

“The goal of hacking is for an outsider to infiltrate a system and profit by acquiring specific information,” said Kim You-kyung, head of a special recovery task force at Nonghyup. “However, in this case the infiltration was made from within Nonghyup and a command to destroy all server systems was attempted simultaneously.”

Credit card transactions between 4:56 p.m. and 5:30 p.m. on Tuesday were deleted not only from the main server but also from the backup server.

Emphasizing that this type of security breach was unheard of not only in Korea but anywhere in the world, Kim said the command, which was made from a laptop computer of an IBM employee subcontracted by Nonghyup, was planned with precision and was meant to do the utmost destruction, and that the person who created the command must have had a high level of experience.

“Across the electronic field in general, a file delete command is the highest command,” said Lee Jae-kwan, Nonghyup’s executive director. “It is a command that cannot be and should not be made,” Lee added. “A command that is unimaginable entered the electronic network.”

Lee added that there was no information leak as in the case of Hyundai Capital.

“Additional commands like ‘copy’ have to be made in order to leak information,” Lee said. “But in our situation there was only a command for deleting data.”

Nonghyup did not clarify the motive of the attack. It only confirmed that the intention was to crash the entire network rather than trying to make a profit by stealing specific information.

It said that it doubted the attack was meant as personal revenge by a disgruntled individual.

It didn’t say if the attack was an inside job, though Nonghyup is leaning toward that conclusion. But it didn’t exclude the possibility of an outside attack.

The company also didn’t clarify whether the laptop that made the command was connected to an outside Internet service.

Nonghyup said the attack was not limited to a specific server but hit all of them, since the servers are physically connected.

When asked about the employee whose laptop issued the command, Nonghyup said it is investigating CCTV records.

Almost a week has gone by since Nonghyup’s system collapsed, affecting 30 million account holders.

The biggest problem with the system now is in credit card transactions. Between April 12, when the server crashed, and April 18, customers made 73,500 transactions worth 57.8 billion won ($53 million). Lee said all of the payments will be properly made.

Nonghyup said roughly 5 percent of the data on credit card transactions was lost after the servers were forced to shut down. It expects a full recovery of the lost data by April 22.

Nonghyup said it will compensate customers for all damages, including late loan interest payments and commissions.

“Nonghyup needs to quickly recover all of its systems by Wednesday since most of the company’s salary payments are made on the 21st of every month and credit card payments are made after that,” said a financial industry official. “Nonghyup’s credibility could be hurt if this situation, which is already extremely serious, is not resolved quickly.”

As it happens, the financial industry was warned of security vulnerabilities.

The Financial Supervisory Service pointed out to financial companies in 2009 that there could be system freeze attacks in the case of large financial firms and attacks on customer information in the case of small and midsize firms.

The FSS even predicted how networks could be crashed or hacked two years ago. Data released by the FSS in 2009 highlighted the need to enhance security of open servers like home pages.

As was seen in the Hyundai Capital hacking incident, lax monitoring of its customer management server, which was shared with partner firms, and home pages for customers was the cause of the information leak.

The financial regulator also pointed out that there should be tighter restrictions on access to servers by contractors as well as internal employees.

“We have decided to inspect the safety of financial institutions because the public is feeling insecure due to the recent incidents, including the hacking of Hyundai Capital,” said Hwang Chul-jeung, director of the Korea Communication Commission’s network policy bureau.